Acquire Infrastructure: Virtual Private Server

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.

Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.[1]

ID: T1583.003
Sub-technique of:  T1583
Platforms: PRE
Version: 1.0
Created: 01 October 2020
Last Modified: 15 April 2021

Procedure Examples

ID Name Description
G0125 HAFNIUM

HAFNIUM has operated from leased virtual private servers (VPS) in the United States.[2]

G0088 TEMP.Veles

TEMP.Veles has used Virtual Private Server (VPS) infrastructure.[3]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

References